
steep-toddler-94095

07/22/2021, 9:27 PM
Is there a recommended pattern when dealing with multiple AWS accounts in a single organization? Is it better for the state to live in a single bucket in the root account or should the state for each account be in a bucket in that account?

bored-oyster-3147

07/22/2021, 9:31 PM
we have an "ops" account where we put devops related stuff. Our single state bucket is in that account
👍 1
keep in mind that if you do separate buckets, or even the same bucket separated by folders, you can't do `StackReference`s across projects
🙏 1

little-cartoon-10569

07/22/2021, 9:38 PM
This is the critical factor imo. Using a single backend URL for all stacks allows sharing of (e.g.) resourceIds between stacks. If the stacks are completely unrelated, or you want to limit info exchange between them to just the Pulumi config or similar, then separate backend URLs is the way to go. This will result in smaller state files, with faster operation times (e.g. actions like export/modify/import) resulting.
However this is rarely the case in my experience. E.g. app stacks often refer to many values in shared infra stacks, and StackReferences make that easy.

steep-toddler-94095

07/22/2021, 11:31 PM
good points. thanks for your inputs!

great-sunset-355

07/23/2021, 8:54 AM
Great points from tenwit. I worked in a similar environment with multiple AWS accounts shared by different dev teams. Instead of using 1 state bucket for each team, we recommended simply using some values as configuration, e.g. `vpc id` or `subnet id`. The decision here very much depends on how dynamic your environment is, so you'll need to decide which resources you want to cause the updates.